All right, we all do it together. Thank you very much. My name is Omri Gazitt. I am the co-founder and CEO of Aserto, which is a developer platform for building fine-grained, policy-based, real-time access control for cloud-native applications. We're also the primary maintainers of Topaz, which is an open-source authorization project for API and application authorization. And both of those projects are heavy users of the Open Policy Agent, OPA. And so we care a lot about secure software supply chains for OPA policies. And I'll talk a little bit about how we do that.

So first of all, OPA policies are becoming important application lifecycle artifacts. And as such, they need to be secured. They're used in Kubernetes admission control, Conftest, which is applying policy for configuration files. You can use OPA as a general decision engine that you can embed into your application. And you can also use it for app and API authorizations, like I said, with Topaz.

So what's so hard about securing OPA policies? Well, policies are, by default, built into tarballs. And tarballs don't really lend themselves well to secure software supply chains. And so fortunately, in the ecosystem, we have the Open Container Initiative, OCI. It's been around for about eight years. Linux Foundation project, and now has been taught to be able to contain other artifacts besides Docker images. And so at the same time, we want the Docker workflow for being able to build and tag and push and pull policies, just like Docker containers. And for that, we have the Open Policy Containers project, which is a CNCF sandbox project, for doing exactly that. The third thing we need is metadata. So we need to be able to store signatures and things like that and verify signatures. And fortunately, OCI allows us to do that. And then last but not least, we have Sigstore, whose Cosign tool is quickly emerging as the way to be able to compute signatures over images and verify those signatures.
So let's talk about how these pieces all fit together. Like I said, policy, the policy CLI is the Docker workflow for OPA policies. And I can show, as opposed to tell, I have a gist here that you can click the link on. I'm going to save you the effort of installing various things and start this by using the policy CLI to create a sample hello world. And because I can't really type and use the mic at the same time, I'm going to use the up arrow key as my friend here. So this basically went off and created a hello world Rego file. And I am going to be able to build a policy image, just like docker build. We give it a source directory and a container image and a tag. And it will go build for us. And in fact, the policy CLI allows you to list images. So this one was created 10 seconds ago. And lastly, we can push it to a container registry. Here we're using GHCR, GitHub Container Registry. So as simple as that, building these things.

Next, we want to be able to sign them. So we're going to use Cosign for that. And again, I'm going to pick the story up. Rather than generate a key pair in front of your very eyes and all that, I'm just going to use Cosign to sign the container image that we just created. So here it's complaining that I'm passing it a tag instead of a signature. Ignore that. I'm going to verify that signature. So it's going to go out, look up the annotation, and indeed it has actually verified the signature based on the public file, the public key file that we created. So those are the components of being able to build this into a secure software supply chain.

Last thing in the last 30 seconds I'll talk about is how do you actually tell OPA to use one of these container images? Well, you create a new service of type OCI, give it some credentials. And then in the bundles, you pass in as the resource the fully qualified container image. Topaz does the same thing.
You can use topaz configure, pass it as a resource, a container image, and it'll go do its thing. That's all the time we have. If you want the slides and the clickable links, scan the QR code. And you can always find me after for more questions. Thank you very much.
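
The OPA configuration described at the end of the talk, written out as an added example (it is not taken from the speaker's slides or gist). The service name, bundle name, image reference, token variable and persistence path are placeholders assumed for illustration.

```yaml
# OPA configuration that pulls a policy bundle from an OCI registry.
# All names and the image reference below are placeholders.
services:
  ghcr-registry:                 # hypothetical service name
    url: https://ghcr.io         # the registry the policy image was pushed to
    type: oci                    # treat this service as an OCI registry
    credentials:
      bearer:
        scheme: "Bearer"
        # Read-only registry token, injected from the environment so it
        # never lands in the config file or in version control.
        token: "${GHCR_TOKEN}"

bundles:
  authz:                         # hypothetical bundle name
    service: ghcr-registry
    # Fully qualified policy image, as built and pushed with the policy CLI.
    resource: ghcr.io/<org>/<policy-name>:<tag>
    # Keep the last downloaded bundle on disk so OPA can start from it
    # when the registry is unreachable.
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

# Directory used for persisted bundles (placeholder path).
persistence_directory: /var/opa/bundles
```

This configuration only tells OPA where to fetch the image from; the Cosign verification shown in the demo is a separate step, run against the same image reference before it is rolled out.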